CVE-2024-9705: Ultimate Coming Soon & Maintenance <= 1.0.9 - Missing Authorization to Authenticated (Subscriber+) Template Name Update

4.3 CVSS

Description

The Ultimate Coming Soon & Maintenance plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'ucsm_update_template_name_lite' function in all versions up to, and including, 1.0.9. This makes it possible for authenticated attackers, with Subscriber-level access and above, to change the name of the plugin's templates.

Classification

CVE ID: CVE-2024-9705

CVSS Base Severity: MEDIUM

CVSS Base Score: 4.3

Affected Products

Vendor: rstheme2017

Product: Ultimate Coming Soon & Maintenance

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.05% (probability of being exploited)

EPSS Percentile: 16.18% (scored less or equal to compared to others)

EPSS Date: 2025-02-03 (when was this score calculated)

References

https://www.wordfence.com/threat-intel/vulnerabilities/id/3bef108a-2c68-4347-bf53-559b2d877f6b?source=cve
https://plugins.trac.wordpress.org/browser/ultimate-coming-soon/trunk/backend/tabs-content/templates/frontend-part/display-template.php#L139

Timeline

2024-12-07 00:31:29 UTC
CVE

Ultimate Coming Soon & Maintenance <= 1.0.9 - Missing Authorization to Authenticated (Subscriber+) Template Name Update